RSA Encryption 'Crack' Rattles Infosec Industry

A team of researchers say they've found a method for subverting RSA encryption. "This could be a big deal because there may be applications out there vulnerable to this attack," said John Hopkins' Matthew Green. RSA, however, contends the danger attributed to the research is being exaggerated.

Claims by a team of international cyrptographic researchers that they've "cracked" the RSA encryption used on a number of smartcards and secure tokens has set off a tempest in security circles.

The scientists from France, Italy, Norway and the United States have found a method for compromising the code in as little as 13 minutes. They plan to divulge more details in a paper they will present at the Crypto 2010 conference in August

"This could be a big deal because there may be applications out there vulnerable to this attack," Matthew Green, a professor specializing in cryptography in the computer science department
Johns Hopkins University, told TechNewsWorld.

"I think it could be a serious problem, but I don't know of a concrete situation where it has allowed someone to attack a system," he added.

"You can get some things off a device, but you can't get the private key," he said. "It doesn't let you clone it."

In public key cryptology, information is encrypted using a public key that's freely available to anyone. Information encrypted with a public key can only be decrypted with a private key that's paired to it. If someone could obtain a private key and make copies of it, or clone it, they could raise havoc with an organization's digital security.

Websites Getting Less Vulnerable

Despite the daily tattoo of reports about infected websites spreading malicious software, a study released last week by White Hat Security found that website security has been improving in recent years.

The study of some 7,000 websites found that the average number of serious vulnerabilities per site last year to be 79. That's a 65 percent drop over 2010, when the average was 230, and part of what has been a steady downward trend since 2007, when the average was a staggering 1,111 per site.

"Over time, though, the number of vulnerabilities we're finding in these websites is decreasing," he said. "That's a good thing."

One reason cited by Grossman for the decline in vulnerabilities is greater security awareness among developers. "Developers are getting better at writing more secure code and are seeing the importance in that," he observed.

Turning False Positives Into Sales

Events that attract global audiences, like the recently completed Euro 2012 soccer tournament or the upcoming Summer Olympics, can be both good and bad news for online retailers. The good news is the events can give their sales a boost. The bad news is the venues are magnets for cybercriminals.

To fend off digital desperadoes, many retailers put rules and policies in place to block suspicious orders. Those rules, though, are often too broadly crafted. That results is lost sales of legitimate orders, according to David Britton, vice president of industry solutions for 41st Parameter.

The attack rate from online miscreants on a retailer during one of these global events is less than one percent of retail traffic, he explained. Yet, he told TechNewsWorld, "We see as much as 7 percent of traffic being cancelled automatically and another 20 to 25 percent of traffic being held for suspicion of fraud."

"That amounts to an impact to your business of as much as 32 percent of either denied sales or delayed sales to solve a 1 percent fraud problem," he noted.

Breach Diary

June 25: Employees of U.S. Commodity Futures Trading Commission, the country's top regulator of derivatives, were informed by management that the agency's systems were compromised in May and personal information, including Social Security numbers, of employees may be at risk. No trading or market data was affected by the breach, the agency said.

June 25: Two LulzSec hackers, Ryan Cleary (Kayla) and Jake Davis (Topiary) plead guilty to a spring hacking spree that included attacks on Sony, Nintendo, News International, the Arizona State Police, PBS and HBGary Federal.

June 26: The Alaska Department of Health and Social Services agreed to pay U.S. Department of Health and Human Services US$1.7 million for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Alaskan Agency allegedly stored electronic health information on unencrypted USB devices.

June 26: The U.S. Federal Trade Commission filed a lawsuit against Wyndham Worldwide, the franchiser of Days Inn hotels and Super 8 motels for security breaches that led to more than half a million credit card numbers being compromised and fraud losses of more than $10.6 million.

June 26: U.S. prosecutors asked a federal court in California to order alleged "Hollywood Hacker" Chris Chaney to pay $150,000 in restitution and serve five years behind bars for compromising accounts of Scarlett Johansson and other celebrities during a hacking spree last year.

June 27: The FBI lowered the hammer in a sting operation resulting in arrest of two dozen suspected hackers in eight countries. The agency estimates the operation saved legitimate credit card users more than $200 million and protected 400,000 potential victims from fraud.

June 28: The University of Texas MD Anderon Cancer Center reported that a computer containing patient information was robbed from a physician's office in April. The university is still trying to determine what information was on the computer's unencrypted hard drive.